• This topic has 19 replies, 16 voices, and was last updated 4 years ago by Kip.
Viewing 20 posts - 1 through 20 (of 20 total)
  • Is Zoom Secure?
  • cbike
    Free Member

    are any of them apart from Whatsapp secure?

    How do you persuade a reluctant German with an online business that it might be ok (or not) that a family call would be appreciated!!

    hols2
    Free Member

    Nothing is secure if it’s used by idiots. My organization is having a meltdown and trying to pretend to be adjusting to circumstances. Everything we do can be done by email. Here’s the last message I bothered to read, it’s from a guy who has trouble logging in to Office 365 and doesn’t understand why the IT department are so “bureaucratic”:

    Hi everybody,

    Just a couple quick things before the Zoom meeting (in less than one hour):

    Joe Bloggs has put up a series of short videos about using Zoom that are very useful.

    One thing I’d like to briefly touch on is Zoom vs MS Teams (which is already part of our Office 365 suite) vs Google Meet (which is integrated with Google’s office apps). So if anybody has experience with these other two apps, please tell us your opinions.

    Also, Moe Bloggs has suggested that we use Slack for communication between each other. I have some experience with Slack, and it is useful. However, I see that Teams may incorporate the things we might want from Slack, which could mean we don’t need to have two apps.

    Here is the info again for joining today’s meeting:

    Poopscoop
    Full Member

    ^^ Did Trump write that?!😦

    CraigW
    Free Member

    Seems there’s a variety of security and privacy issues with Zoom. They claim it is end to end encrypted, but it isn’t really. And they are collecting your data, then selling it on to Facebook etc.

    https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing
    https://www.tomsguide.com/uk/news/zoom-security-privacy-woes

    hels
    Free Member

    NCSC have assured it up to Official classification, which in my line is chatting about the weather before a meeting. Boris Johnson is using it for cabinet meetings.

    slackalice
    Free Member

    It’ll be interesting to see what personal information is worth mining in the forthcoming new normal.

    So I think I’ll crack on with my ‘web cam’ venture using zoom 🤪

    willard
    Full Member

    Personally, I have put together enough notes on Zoom to consider it a significant privacy and security risk to not recommend it for use, but I do work in Europe, so things are different than the U.K.

    I would certainly not use it for sensitive or government work unless I wanted that information leaked to China (see recent Zoom disclosure) or stored on US servers.

    The problem is very much one of convenience versus security. A lot of the time you have to trade one for the other. Setting a password or using a meeting room with Zoom stops people just randomly joining your meeting, but means that legit users can’t just use a web browser and have to use their shitty, data-mining app.

    If you just want a secure way of talking/messaging someone, use Signal. iMessage is also good.

    dannybgoode
    Full Member

    No it’s not. And BJ did use it to host a video con of a meeting of the cabinet.

    For a slightly technical take on it

    https://www.theregister.co.uk/2020/04/03/dont_use_zoom_if_privacy/

    https://www.theregister.co.uk/2020/04/01/zoom_spotlight/

    FuzzyWuzzy
    Full Member

    I don’t understand how a cabinet meeting can use it – surely a cabinet meeting is official-sensitive? The government agency I’m assigned to are only allowed to hold things such as recruitment interviews on Teams or Zoom, nothing operational is allowed to be discussed on them. Didn’t Zoom also ‘accidentally’ route traffic via China recently as well?

    J-R
    Full Member

    Zoom concerns are overblown.

    I would certainly not use it for sensitive or government work unless I wanted that information leaked to China (see recent Zoom disclosure) or stored on US servers.

    Neither would I, but for what 99% of us do in meetings any small security risk is irrelevant. Nobody that understands how to target your specific meeting cares about your latest team update, let alone what you say to your mates over an evening Zoom drink.

    And if you are worried about Facebook/google getting data about you – they get it already. The way to stop that is be VERY savvy on how to use the privacy settings that 99% of us never use.

    And as for hackers supposedly accessing cameras through zoom, thanks to people not setting their camera security there are plenty of cameras out there that are easily accessible to anyone without zoom.

    scuttler
    Full Member

    Summink about free, summink about you are the product.

    (Yeah I know it has subscription and corporate models too but all the Johnny-come-latelies will be using it for nowt)

    UrbanHiker
    Free Member

    J-R, do you have any links on how to become “VERY savvy”? I try, but find it an absolute nightmare jungle of ever changing confusion.

    willard
    Full Member

    There is a bit of a difference between Zoom and, say, Hangouts or Meet. Google genuinely does offer end-to-end encryption (so does WhatsApp) and so it makes it difficult/impossible for eavesdropping. Slack also offers that, but only if you provide your own crypto, which is a more expensive option.

    The same thing with the data warehousing… With something like Google, you can insist on using EU datacentres only, giving you, if you are covered by it, protection under GDPR with the correct Data Processing Agreement. A company like Zoom may not have specific EU DCs and it may not have a contract that allows you to use EU-only or fail, rather than EU-only, then failover to US.

    For all its faults, Google has a really big security team and a really big focus on operational security. Oddly, I trust them more to be open about this than something like Zoom.

    J-R
    Full Member

    J-R, do you have any links on how to become “VERY savvy”? I try, but find it an absolute nightmare jungle of ever changing confusion.

    I know enough to know I’m not that savvy, so I just don’t use FB and I accept Google knowing where I go and what I search for as an acceptable price for their services.

    If I worked for the security services or was planning a crime I’d possibly take a different view.

    UrbanHiker
    Free Member

    J-R thanks for the reply. Sounds similar to my stance. Though I only “accept” Google knowing everything very begrudgingly, so use (mostly) DuckDuckGo.

    maccruiskeen
    Full Member

    I don’t understand how a cabinet meeting can use it – surely a cabinet meeting is official-sensitive?

    Given they shared the meeting publicly the exercise was more about the optics – ‘We’re all in it together’ than the actual machine of government. They used Zoom because it’s a publicity stunt. A bit like when William Hague’s shadow cabinet all had a dress down Friday to prove they were just like us.

    Cougar
    Full Member

    No, it’s not, and the biggest issue I have with it is that they’re actively dishonest about that. For instance, their touted “end to end encryption” is nothing of the sort unless you call their servers an “end.”

    Would I use it to catch up with mates over a beer? Sure. Would I use it for anything remotely required to be confidential? Hell to the no.

    MrOvershoot
    Full Member

    This from our CISO
    Colleagues,
    Zoom has exploded in popularity, both personally and professionally, as people turn to video calling software amid the ongoing coronavirus pandemic. With all this extra attention, Zoom has come under intense scrutiny from security professionals and privacy advocates. Given the public results of many of their findings over this past week, we are suspending usage of Zoom for business-related meetings while we work with the company to ensure their level of security meets our needs. Instead, we recommended that you utilize Skype for Business, Microsoft Teams, as well as Microsoft Office 365 Broadcast for large meetings.

    Examples of Recent Security Issues

    Zoom bombing
    Anyone can “bomb” a public Zoom meeting if they know the meeting number, and then use the file-share photo to post shocking images or make annoying sounds in the audio. There are ways to mitigate this risk, however doing so often limits many of the reasons to use Zoom, such as file or screen sharing.

    Windows password stealing
    Zoom meetings have side chats in which participants can send text-based messages and post web links. There is a way that, given a unique link sent by a hacker, they could capture the user’s Windows password “hash” and decrypt it, giving them access to the Zoom user’s Windows account.

    Windows malware injection
    Similar to above, a hacker can send a special link to an executable file, and if a Zoom user running Windows clicks on it, the user’s computer will try to load and run the software.

    iOS profile sharing
    Until last week, Zoom sent iOS user profiles to Facebook as part of the “log in with Facebook” feature in the iPhone and iPad Zoom apps, without the user’s knowledge or permission.

    Lack of transparency on end-to-end encryption
    Zoom has utilized language around end-to-end encryption that was confusing and not in line with industry norms. This had led to misunderstanding by the user community as to when communications are encrypted, and when they are not.

    The security issues with Zoom are just the latest in a series of attacks exploiting public fears about the coronavirus. Bookmark ******** to stay up-to-date with the latest information you need to protect yourself online.

    Thank you for your continued vigilance and attention.

    ***********
    VP, Chief Information Security Officer

    simon_g
    Full Member

    They’ve done quite a few shady things in the past to bypass OS controls and get their software installed. Even with a goal of having as frictionless and idiot-proof an experience as possible, some of it is way too far. Likewise the default meeting settings may make things as easy as it can be to get people in and talking, but opens up all sorts of issues around unwanted guests. And some of their claims around encryption and so on are just flat out BS.

    I’ve been around Microsoft comms for several years and have had way too many meetings about meeting policies, why there has to be an authenticated user for the meeting to start, why you don’t want to grant everyone presenter status by default, why dynamic meeting IDs not static, etc. They’re mostly like that because sometimes trusting everyone to get maximum convenience isn’t the best idea.

    I do like Zoom as a video experience and have been using it a lot more for social stuff in recent weeks. I just hope their claims of spending the next few months focussing on security over features is time well spent.

    Kip
    Full Member

    I work at a Russell Group University and we have been told Zoom does not meet GDPR criteria so we are not to use it for University business at all. Bearing in mind they rolled out Teams at short notice they are pushing us all to use that. I have issues with Teams, mainly down to the UI as I like to have lots of tabs open and I can’t do that in Teams (AFAIK, I’m no expert!). Other than that, it’s fine.
    At home we use Skype or WhatsApp to chat. Can’t be bothered with another messaging app to be honest.


The topic ‘Is Zoom Secure?’ is closed to new replies.